How to Fix America's Harmful Hacking Laws

Many technology-law experts feel the 1986 Computer Fraud and
Abuse Act gives prosecutors too much leeway, allowing them to
rack up serious charges for what may seem to outsiders like
minor offenses.

The Aaron Swartz case may be a perfect example of such overreach.
The young programmer, who was indicted twice under the CFAA,
faced 50 years in prison for allegedly downloading 4 million
academic-journal articles.

Swartz hanged himself in his Brooklyn apartment last week, two
days after his lawyer and prosecutors reportedly failed to reach
a plea deal.

Adam Goldstein, an attorney advocate at the Student Press Law
Center in Arlington, Va., said, "the language of [the CFAA] could
be tighter, [but] that's not why things are going horribly wrong"
with computer-related prosecutions.

"What's going wrong with these prosecutions," he said, "is that
any prosecutor in any corner of the country can prosecute a
computer crime, even though he or she may know absolutely nothing
about computers and have only a rudimentary understanding of what
the laws were even designed to prohibit."

Not only did her office issue a four-count indictment of Swartz
in July 2011, with maximum penalties of 35 years in prison, but
in September 2012 it superseded the original filing with a
13-count indictment that added 15 more years.

"These sentences make no sense to me," said Chester Wisniewski, a
senior security analyst in the Vancouver, British Columbia,
office of the British firm Sophos. "While I take copyright and
digital crime very seriously, I can't explain or justify these
penalties."

On Wednesday (Jan. 16), Ortiz issued a statement that she and her
office didn't really intend to throw Swartz into prison for five
decades.

"There was no evidence against Mr. Swartz indicating that he
committed his acts for personal financial gain," Ortiz said.
"This office sought an appropriate sentence that matched the
alleged conduct — a sentence that we would recommend to the judge
of six months in a low-security setting."

The charges against Swartz were dropped after his suicide.

"In my experience, U.S. attorneys tend to throw the book at
defendants," said former federal public defender Hanni Fakhoury,
a staff attorney at the Electronic Frontier Foundation in San
Francisco.

"The 'tough' prosecutors are the ones who get promoted and have
their careers advanced," he said. "This isn't unique to Aaron's
case or the CFAA: it's a problem in federal criminal law,
period."

Robert Graham, chief executive officer of Errata Security in
Atlanta, said it comes down to the way the CFAA and related laws
were written.

"Laws target the means rather than the ends," Graham said. "This
allows you to be prosecuted because you use the same means [as a
criminal], but for legitimate ends. Almost anybody can be
prosecuted for illegal use of a computer if prosecutors wanted
to."

Christopher Soghoian, a senior policy analyst at the American
Civil Liberties Union, was more blunt.

"The offenses that Swartz was accused of were not motivated by
profit, nor did they involve actual hacking," Soghoian said.

Some experts we spoke to think reform of the CFAA and related
statutes might be possible even in such a political environment.

"Change has to come from them [Congress], ultimately, and I'm
convinced if we get enough people concerned about the abuse of
this law, there can be some meaningful reform," Fakhoury said.
"They did, after all, drop SOPA [the Stop Online Piracy Act]
when it became clear there was a lot of dissatisfaction with
it."

"I think we can trust Congress to do this, honestly, because I
think they know that they don't understand these crimes,"
Goldstein said. "I believe they can understand that their
ignorance is doing harm. And what member of Congress wants to
oppose creating a system that will better prosecute electronic
crimes?"

Her proposal, which she called "Aaron's Law," would exclude
violations of private agreements and obligations, such as
terms-of-service agreements, acceptable-use policies and
employment contracts, from being considered unauthorized access.

It would, in essence, mean you'd no longer be breaking the law by
using a friend's Netflix account.

A prosecutor might have argued that Swartz, who used MIT's
on-campus network to download the archived journal articles, was
not associated with MIT and hence was not party to the
contractual agreement MIT had with the academic archive.

(Swartz was associated with Harvard and was entitled to access
the archive from Harvard's network using Harvard's paid
subscription.)

Graham was less optimistic about the prospect for legislative
reform, observing that Congress responds "to the will of the
people, and the people don't understand this issue, either."

"The people don't know how computers work. It's all witchcraft to
them," he added. "Hackers are witches; the people want to see
them burned."

Instead, Graham suggested abolishing the CFAA entirely.

"The solution is not to reform it, but remove it," he said.
"Focus on the actual crimes, such as espionage or stealing money,
and not on the idea of 'accessing a computer without
authorization.'"

Special experts for special cases

Goldstein, on the other hand, thinks the solution to handling
electronic infractions already exists — it just isn't being used
properly.

"When we have an area of the law we think is really complicated,
we set up some kind of body, either investigative or judicial, to
help ensure the laws are enforced correctly," he said.

"After Sept. 11, the federal government realized that terrorism
cases are sophisticated, subtle and aren't easy for your average
cops and prosecutors to identify. The Department of Justice set
up the Joint Terrorism Task Force (JTTF), a clearing house for
terrorism information with local groups of experts set up to
analyze and prosecute terrorism crimes.

"The Patriot Act itself also directed the Secret Service to set
up the Electronic Crimes Task Force," Goldstein said. "But
electronic crime prosecutions just aren't being 'cleared' through
ECTF the same way terrorism prosecutions are cleared through
JTTF.

"If you search the ECTF website, Aaron's name doesn't come up,
which makes you wonder what the heck it's for. So what needs to
happen, really and truly, is for the ECTF to become a branch of
the Department of Justice like the JTTF, so it [becomes] able to
meaningfully involve itself in these cases the way JTTF does."